On premises access to Azure files services

Posted on March 1, 2016 by workinghardinit

Today we’ll have some fun with an Azure storage account and file services. We’ll show that you can actually get on premises access to Azure files services. You might not have tried this yet but you can expose this file share to your on premises physical or virtual machine as long as it’s an operating system supporting SMB 3.X. That means, Windows 8/8.1/10 and Windows 2012/2012R2 and 2016.

Realize that this is just a demo. Exposing an Azure File Services share to “and users” is not the primary use case for an Azure file service. It meant for applications in both public and hybrid cloud scenarios.

You set up an Azure file service (a file share) in a storage account. just like you do blobs, tables or queues.

What you need to access such a file share is the path to the share on your storage account on Azure and an access key

All you need to do is open up a command prompt and type

net use T: \\democloudwitness.file.core.windows.net\cloudsmb /u:democloudwitness Qzd4/fhHrt!45f*5652ddehse4qfjfqsfpKDMP45Hdg8etDlg2fyr8dtR^_pmL9QzedtrMhLcxo7Rsdew4U4E7A==

It’s a FAKE access key people, don’t bother. If you did not make a mistake it will report success and you have access to the Azure file share via letter T: from any interface that supports them.

But even if you did not, you can just enter the storage account and the access key to get access just like any other file share.

Voila, you have mapped that cloud share to your on premises machine. There’s no local users or AD based security settings so you can do whatever you want in regards to adding or deleting data. The storage account access key are literally the keys to the kingdom.

That’s right. It’s not limited to virtual machines or services in Azure nowadays. No need for a VPN or Express Route to Azure any more. Just an internet connection that allows you to connect remotely to port 445.

Pretty cool. Sure, end users are not the primary use case for this feature but it’s certainly nice to see what the capabilities are.

Security wise you might have some objections. In reality it’s just another way people don’t realize yet that data might be leaving the organization. No need to panic or to create a fuzz. Chances are most people have a dozen more popular and better known ways of getting data in and out in many environments. But if you have a dreamy eyed security officer whose mainly in place because they’re convenient, you can scare him/her a little with this. Let’s imagine you’re working at one of those <sarcasm> rare </sarcasm> companies where the firewall only seems to works in one way, for the ingress traffic. Egress is free fire zone as it avoids many support tickets and issues. That it opens the gates to others is another issue, but hey, the firewall is dead in the brave new world of BYOD and IoT anyway. What if you need some extra storage, temporarily, but you can’t get it on the file servers? Nor do they want to give you an external disk, a large thumb drive, or let you bring one in yourself. Maybe they’ve even spent money on disabling some of the USB ports or glued them up. Well get a trial account for Azure, set up the above. You’ll have a temp data dump that you can access from another location just as easily. I actually had more issues at home with my UTM firewall than in the few business settings where I tested this. Some ISPs do block this port outbound. So be ware when testing at home

Now forget about the security officer bashing and FUD. The real take away here is that you can expose a file share for an application easily both inside of Azure and on premises. That’s a powerful thing to do and it’s actually documented. It helps in new cloud service development, hybrid scenarios, migration or transition scenarios etc. All this highly available with the benefits SMB 3.x offers or over REST API. Now, imagine the possibilities! As said, for now there is no Active Directory authentication support, but who knows what the future brings? You can read more about getting started with Azure file services here.

Azure AD Connect 1.1.105.0 is GA

Posted on February 23, 2016 by workinghardinit

On February 18th 2016 Microsoft released a significant update to Azure AD Connect, version 1.1.105.0. It adds some capabilities and improves on others. For me this is a core piece of the puzzle today and in the future for many of my plans to optimize the future IT Infrastructure & DevOps. Even when politics seem hell bound on slowing you down and cause a serious delay and missed opportunities this piece of technology is key in breaking through those barriers and keep moving ahead.

So what’s in the box with version 1.1.105.0

Automatic upgrade feature for Express settings customers.
Support for the global admin using MFA and PIM in the installation wizard.
We can change the user’s sign-in method after initial install.
We can now set Domain and OU filtering in the installation wizard. As a secondary benefit this means we can now connect to forests where not all domains are available.
We get a Scheduler is built-in to the sync engine.

Some preview features are now GA:

We get one new preview features which is going to be a hit in world where patience disappeared from the equation:

The default sync interval is now 30 minutes instead of 3 hours before. this is configurable now in the scheduler.

It also fixes the following issues:

The verify DNS domains page didn’t always recognize the domains.
Prompts for domain admin credentials when configuring ADFS.
On-premises AD accounts are not recognized by the installation wizard when they are in a domain with a different DNS tree than the root domain.

Grab the latest version of Azure AD Connect here.

Dell Compellent SCOS 6.7 ODX Bug Heads Up

Posted on February 22, 2016 by workinghardinit

100

UPDATE 3: Bad and disappointing news. After update 2 we’ve seen DELL change the CSTA (CoPilot Services Technical Alert) on the customer website to “’will be fixed” in a future version. No according to the latest comment on this blog post that would be In Q1 2017. Basically this is unacceptable and it’s a shame to see a SAN that was one of the best when in comes to Hyper-V Support in Windows Server 2012 / 2012 R2 decline in this way. If 7.x is required for Windows Server 2016 Support this is pretty bad as it means early adopters are stuck or we’ll have to find an recommend another solution. This is not a good day for Dell storage.

UPDATE 2: As you can read in the comments below people are still having issues. Do NOT just update without checking everything.

~~UPDATE: This issue has been resolved in Storage Center 6.7.10 and 7.X~~

~~If you have 6.7.x below 6.7.10 it’s time to think about moving to 6.7.10!~~

No vendor is exempt form errors, issues, mistakes and trouble with advances features and unfortunately Dell Compellent has issues with Windows Server 2012 (R2) ODX in the current release of SCOS 6.7. Bar a performance issue in a 6.4 version they had very good track record in regards to ODX, UNMAP, … so far. But no matter how good your are, bad things can happen.

I’ve had to people who were bitten by it contact me. The issue is described below.

In SCOS 6.7 an issue has been determined when the ODX driver in Windows Server 2012 requests an Extended Copy between a source volume which is unknown to the Storage Center and a volume which is presented from the Storage Center. When this occurs the Storage Center does not respond with the correct ODX failure code. This results in the Windows Server 2012 not correctly recognizing that the source volume is unknown to the Storage Center. Without the failure code Windows will continually retry the same request which will fail. Due to the large number of failed requests, MPIO will mark the path as down. Performing ODX operations between Storage Center volumes will work and is not exposed to this issue.

You might think that this is not a problem as you might only use Compellent storage but think again. Local disks on the hosts where data is stored temporarily and external storage you use to transport data in and out of your datacenter, or copy backups to are all use cases we can encounter. When ODX is enabled, it is by default on Windows 2012(R2), the file system will try to use it and when that fails use normal (non ODX) operations. All of this is transparent to the users. Now MPIO will mark the Compellent path as down. Ouch. I will not risk that. Any IO between an non Compellent LUN and a Compellent LUN might cause this to happen.

The only workaround for now is to disable ODX on all your hosts. To me that’s unacceptable and I will not be upgrading to 6.7 for now. We rely on ODX to gain performance benefits at both the physical and virtual layer. We even have our SMB 3 capable clients in the branch offices leverage ODX to avoid costly data copies to our clustered Transparent Failover File Servers.

When a version arrives that fix the issue I’Il testing even more elaborate than before. We’ve come to pay attention to performance issues or data corruption with many vendors, models and releases but this MPIO issue is a new one for me.

RD Gateway Management Console crashes with .NET framework 4.6.1 update (KB3102467)

Posted on February 15, 2016 by workinghardinit

UPDATE: KB – the June 2016 update rollup KB 3161606 June 2016 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 contains the fix for this. See KB3162871 RD Gateway Manager console crashes with the latest .NET Framework 4.6.1 update on Windows Server 2012 R2

Apparently the Exchange console and Skype for Business Server 2015 is not the only victim of Microsoft pushing out the .NET framework 4.6.1 update (KB3102467) to servers via Windows updates and WSUS. A colleague of mine described Windows updates as a game of Russian roulette, indicating there’s al least a QA concern …

The most recent victim I found was the RD Gateway management console on Windows Server 2012 R2. You might have the same issue on older Windows Versions but I’m only running W2K12R2 (it’s 2016 after all).

The result is that when you’re editing a Connection Authorization Policies or Resource Authorization Policies their membership settings (adding/removing groups) the MMC just crashes. Creating new ones is equally problematic!

You see the following errors logged in the event viewer:

Faulting application name: mmc.exe, version: 6.3.9600.17415, time stamp: 0x54504e26
Faulting module name: clr.dll, version: 4.6.1055.0, time stamp: 0x563c12de
Exception code: 0xc0000409
Fault offset: 0x00000000002fdbd8
Faulting process id: 0x12ec
Faulting application start time: 0x01d166820b2de977
Faulting application path: C:\Windows\system32\mmc.exe
Faulting module path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
Report Id: 57bbb59c-d275-11e5-9440-00155dd2ca06
Faulting package full name:
Faulting package-relative application ID:

Followed by

The culprit once again is the .NET Framework 4.6.1 update (KB3102467) for Microsoft Windows.

Get rid of that update to restore functionality. Come on Microsoft, Quality assurance! You need people to update ever faster for both security reasons and in order to keep up with technologies and the cloud cadence. You need to make sure they can do so without worrying all the time!

Working Hard In IT

My view on IT from the trenches

Category Archives: IT Pro

Azure AD Connect 1.1.105.0 is GA

Dell Compellent SCOS 6.7 ODX Bug Heads Up

RD Gateway Management Console crashes with .NET framework 4.6.1 update (KB3102467)